Overview ¶
Package pki generates and manages the X.509 certificates and RSA keys that make up a Kubernetes PKI (root CA, etcd CA, Kubernetes CA, front-proxy CA and the leaf certificates issued by them).
Constants ¶
const (
	// KubernetesCACN is the default CN for the Kubernetes CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	KubernetesCACN = "kubernetes-ca"
	// KubernetesFrontProxyCACN is the default CN for the Kubernetes front proxy CA certificate,
	// as recommended by https://kubernetes.io/docs/setup/best-practices/certificates/.
	//
	// The front proxy CA must stay distinct from the Kubernetes CA: kube-apiserver and aggregated
	// API servers trust client certificates issued by this CA as the source of impersonation
	// (X-Remote-User / X-Remote-Group) headers.
	KubernetesFrontProxyCACN = "kubernetes-front-proxy-ca"
)
const (
	// RSABits is the default private key length. 2048 bits is the widely accepted floor for RSA;
	// generating 4096-bit keys is roughly ten times slower, so the default stays at 2048 until
	// key generation is done in parallel, after which it should be raised.
	RSABits = 2048
	// Organization is the default organization (O) name in generated certificates.
	//
	// NOTE(review): Kubernetes maps the O field of a client certificate to the client's groups,
	// so this default should not be relied on for certificates that need a specific RBAC group.
	Organization = "organization"
	// ValidityDuration is the default time the certificates are valid for: 8760h, i.e. 365 days.
	ValidityDuration = "8760h"
	// RenewThreshold defines the minimum remaining validity time for a certificate before
	// it will be renewed: 720h, i.e. 30 days. Per Generate's documentation, expiry-based
	// renewal is not implemented yet, so this threshold is currently not acted upon.
	RenewThreshold = "720h"
	// X509CertificatePEMHeader is the PEM block type used while encoding X.509 certificates.
	X509CertificatePEMHeader = "CERTIFICATE"
	// RSAPrivateKeyPEMHeader is the PEM block type used while encoding RSA private keys
	// (the PKCS#1 "RSA PRIVATE KEY" form, not the PKCS#8 "PRIVATE KEY" form).
	RSAPrivateKeyPEMHeader = "RSA PRIVATE KEY"
	// RSAPublicKeyPEMHeader is the PEM block type used while encoding RSA public keys
	// (the PKCS#1 "RSA PUBLIC KEY" form, not the SubjectPublicKeyInfo "PUBLIC KEY" form).
	RSAPublicKeyPEMHeader = "RSA PUBLIC KEY"
	// RootCACN is the default CN for the root CA certificate.
	RootCACN = "root-ca"
)
const (
	// EtcdCACN is the default CN for the etcd CA certificate, as recommended by
	// https://kubernetes.io/docs/setup/best-practices/certificates/.
	//
	// etcd keeps its own CA so that a Kubernetes client certificate can never be used to
	// authenticate directly to etcd, which would bypass the API server's authorization.
	EtcdCACN = "etcd-ca"
)
Functions ¶
func ValidatePrivateKey ¶ added in v0.4.3
ValidatePrivateKey validates the given private key in PEM format. If decoding or parsing fails, an error is returned.
Types ¶
type Certificate ¶
type Certificate struct {
	// Organization stores the value for the 'organization' (O) field in the certificate subject.
	//
	// NOTE(review): Kubernetes maps the O field of a client certificate to the client's groups,
	// so for client certificates this value decides which RBAC groups the holder gets — check
	// what Generate puts here before relying on the package default.
	Organization string `json:"organization,omitempty"`
	// RSABits defines the length of the RSA private key to generate.
	//
	// Example value: '2048'. Values below 2048 should be rejected; whether Validate enforces
	// this is not visible here.
	RSABits int `json:"rsaBits,omitempty"`
	// ValidityDuration defines how long generated certificates should be valid.
	//
	// Example value: '24h'. Presumably parsed with time.ParseDuration — TODO confirm.
	ValidityDuration string `json:"validityDuration,omitempty"`
	// RenewThreshold defines how long before the expiry date the certificates should
	// be re-generated.
	//
	// Per Generate's documentation, renewal based on expiry time is not implemented yet, so
	// this value is currently informational only.
	RenewThreshold string `json:"renewThreshold,omitempty"`
	// CommonName defines the CN field for the certificate subject. For client certificates
	// Kubernetes uses the CN as the user name.
	CommonName string `json:"commonName,omitempty"`
	// CA controls whether the certificate should be generated as a self-signed CA certificate.
	//
	// NOTE(review): presumably this also sets the basic-constraints CA flag and the
	// certificate-signing key usage — confirm in Generate.
	CA bool `json:"ca,omitempty"`
	// KeyUsage is a list of key usages. Valid values are:
	// - "digital_signature"
	// - "content_commitment"
	// - "key_encipherment"
	// - "data_encipherment"
	// - "key_agreement"
	// - "cert_signing"
	// - "crl_signing"
	// - "encipher_only"
	// - "decipher_only"
	// - "any_extended"
	// - "server_auth"
	// - "client_auth"
	// - "code_signing"
	// - "email_protection"
	// - "ipsec_end_system"
	// - "ipsec_tunnel"
	// - "ipsec_user"
	// - "timestamping"
	// - "ocsp_signing"
	// - "microsoft_server_gated_crypto"
	// - "netscape_server_gated_crypto"
	//
	// Presumably these map to the crypto/x509 KeyUsage / ExtKeyUsage values of the same name.
	// Prefer the narrowest set that works: "any_extended" permits every extended usage, and
	// "cert_signing" / "crl_signing" belong on CA certificates only. Leaf certificates usually
	// need just "server_auth" and/or "client_auth".
	KeyUsage []string `json:"keyUsage,omitempty"`
	// IPAddresses defines the IP addresses (IP SANs) for which the certificate is valid.
	// Generate re-generates the X.509 certificate when this list changes.
	IPAddresses []string `json:"ipAddresses,omitempty"`
	// DNSNames defines extra hostnames (DNS SANs) which will be valid for the certificate.
	//
	// NOTE(review): Generate's documentation only mentions re-generation when IP addresses
	// change — confirm whether a change to DNSNames is detected as well.
	DNSNames []string `json:"dnsNames,omitempty"`
	// X509Certificate stores the generated certificate in X.509 format, PEM encoded.
	X509Certificate types.Certificate `json:"x509Certificate,omitempty"`
	// PublicKey stores the generated RSA public key, PEM encoded.
	PublicKey string `json:"publicKey,omitempty"`
	// PrivateKey stores the generated RSA private key in PKCS#1 format, PEM encoded.
	//
	// It is serialized together with the rest of the struct (field 'privateKey'), so any
	// persisted or logged copy of this configuration contains plaintext key material and
	// must be protected as a secret.
	PrivateKey types.PrivateKey `json:"privateKey,omitempty"`
}
Certificate defines configurable options for each certificate.
func (*Certificate) DecodeX509Certificate ¶ added in v0.4.3
func (c *Certificate) DecodeX509Certificate() (*x509.Certificate, error)
DecodeX509Certificate returns the parsed X.509 certificate, so the fields of the generated certificate can be inspected.
func (*Certificate) Generate ¶
func (c *Certificate) Generate(caCert *Certificate) error
Generate ensures that all fields of the certificate are populated.
This function currently supports:
- Generating new RSA private key and public key.
- Generating new X.509 certificates.
- Re-generating the X.509 certificate if the IP addresses change.
NOT implemented functionality:
- Renewing certificates based on expiry time.
- Renewing X.509 certificate after RSA private key renewal.
- Renewing issued certificate during CA renewal.
func (*Certificate) IsX509CertificateUpToDate ¶ added in v0.4.3
func (c *Certificate) IsX509CertificateUpToDate() (bool, error)
IsX509CertificateUpToDate checks whether the generated X.509 certificate is up to date with its configuration.
func (*Certificate) Validate ¶
func (c *Certificate) Validate() error
Validate validates the certificate configuration.
type Etcd ¶
type Etcd struct {
	// Certificate is inlined so its settings act as defaults for all etcd certificates.
	Certificate
	// CA stores the etcd CA certificate. It is separate from the Kubernetes CA so that
	// Kubernetes client certificates cannot be used to talk to etcd directly.
	CA *Certificate `json:"ca,omitempty"`
	// Peers is a map of peer certificates to generate, where the key is the name of the peer
	// and the value is the IP address on which the peer will be listening.
	Peers map[string]string `json:"peers,omitempty"`
	// Servers is a map of server certificates to generate, where the key is the CN of the
	// certificate and the value is the IP address on which the server will be listening.
	//
	// NOTE(review): the earlier wording said "CN of the client certificate"; presumably
	// "server" is meant, since this map drives ServerCertificates — confirm.
	Servers map[string]string `json:"servers,omitempty"`
	// ClientCNs is a list of client certificate Common Names to generate.
	ClientCNs []string `json:"clientCNs,omitempty"`
	// PeerCertificates defines and stores all peer certificates, including their private keys.
	PeerCertificates map[string]*Certificate `json:"peerCertificates,omitempty"`
	// ServerCertificates defines and stores all server certificates, including their private keys.
	ServerCertificates map[string]*Certificate `json:"serverCertificates,omitempty"`
	// ClientCertificates defines and stores all client certificates, including their private keys.
	// Each of these grants full read/write access to etcd, so they are as sensitive as the CA key.
	ClientCertificates map[string]*Certificate `json:"clientCertificates,omitempty"`
}
Etcd stores the etcd PKI and its settings.
func (*Etcd) Generate ¶
func (e *Etcd) Generate(rootCA *Certificate, defaultCertificate Certificate) error
Generate generates etcd PKI.
type KubeAPIServer ¶
type KubeAPIServer struct {
	// Certificate stores default settings for all kube-apiserver certificates.
	Certificate
	// ExternalNames is a helper to ServerCertificate, which allows setting the DNS names
	// clients may use when connecting to kube-apiserver (for example a load-balancer hostname).
	//
	// NOTE(review): the in-cluster names (kubernetes, kubernetes.default.svc, ...) must also be
	// present in the serving certificate; whether Generate adds them automatically is not
	// visible here.
	ExternalNames []string `json:"externalNames,omitempty"`
	// ServerIPs is a helper to ServerCertificate, which allows setting the IP addresses on
	// which kube-apiserver can be reached (typically the advertise address and the cluster
	// service IP).
	ServerIPs []string `json:"serverIPs,omitempty"`
	// ServerCertificate stores the serving certificate for the HTTPS server.
	ServerCertificate *Certificate `json:"serverCertificate,omitempty"`
	// KubeletCertificate stores the client certificate used for talking to the kubelet on the
	// nodes. This credential grants kube-apiserver access to the kubelet API (exec, logs, ...)
	// on every node, so its private key is as sensitive as an admin credential.
	KubeletCertificate *Certificate `json:"kubeletCertificate,omitempty"`
	// FrontProxyClientCertificate stores the client certificate used for talking to extension
	// (aggregated) API servers. Presumably issued by the front-proxy CA; aggregated servers
	// trust it as the source of the X-Remote-User / X-Remote-Group headers, so it must not be
	// shared with any other client.
	FrontProxyClientCertificate *Certificate `json:"frontProxyClientCertificate,omitempty"`
}
KubeAPIServer stores kube-apiserver certificates.
type Kubernetes ¶
type Kubernetes struct {
	// Certificate stores default settings for all Kubernetes certificates.
	Certificate
	// CA stores the Kubernetes CA certificate and its settings.
	CA *Certificate `json:"ca,omitempty"`
	// FrontProxyCA stores the Kubernetes front-proxy CA certificate, required for API
	// aggregation. Keep it distinct from CA: certificates issued by this CA are trusted as
	// carriers of impersonation (X-Remote-*) headers.
	FrontProxyCA *Certificate `json:"frontProxyCA,omitempty"`
	// KubeAPIServer stores kube-apiserver specific certificates.
	KubeAPIServer *KubeAPIServer `json:"kubeAPIServer,omitempty"`
	// AdminCertificate stores the Kubernetes admin client certificate, a cluster-admin
	// credential.
	//
	// NOTE(review): the RBAC group of this identity comes from the certificate's Organization
	// (O) field — confirm what Generate sets, since the package default Organization is not a
	// Kubernetes group name.
	AdminCertificate *Certificate `json:"adminCertificate,omitempty"`
	// KubeControllerManagerCertificate stores the kube-controller-manager client certificate.
	KubeControllerManagerCertificate *Certificate `json:"kubeControllerManagerCertificate,omitempty"`
	// KubeSchedulerCertificate stores the kube-scheduler client certificate.
	KubeSchedulerCertificate *Certificate `json:"kubeSchedulerCertificate,omitempty"`
	// ServiceAccountCertificate stores the public and private key used for signing and
	// verifying service account tokens by kube-controller-manager and kube-apiserver.
	// Whoever holds this private key can mint a valid token for any service account.
	ServiceAccountCertificate *Certificate `json:"serviceAccountCertificate,omitempty"`
}
Kubernetes stores Kubernetes PKI and settings.
func (*Kubernetes) Generate ¶
func (k *Kubernetes) Generate(rootCA *Certificate, defaultCertificate Certificate) error
Generate generates Kubernetes PKI.
type PKI ¶
type PKI struct {
	// Certificate contains default settings for all certificates in the PKI.
	Certificate
	// RootCA contains the configuration and the generated root CA certificate and private key.
	// Presumably it signs the etcd and Kubernetes CAs, since their Generate methods take the
	// root CA as an argument — confirm.
	RootCA *Certificate `json:"rootCA,omitempty"`
	// Etcd contains the configuration and all generated etcd certificates and private keys.
	Etcd *Etcd `json:"etcd,omitempty"`
	// Kubernetes contains the configuration and all generated Kubernetes certificates and
	// private keys.
	//
	// Every private key in the tree is serialized with this struct, so a stored copy of it is
	// the cluster's complete secret material and must be protected as such.
	Kubernetes *Kubernetes `json:"kubernetes,omitempty"`
}
PKI contains configuration and all generated certificates and private keys required for running Kubernetes.